BPR4GDPR Project Presentation

Project ID

• Project acronym: BPR4GDPR

• Project title: Business Process Re-engineering and functional toolkit for GDPR compliance

• Contract number: 787149

• Funded under the H2020 call DS-08-2017

• Innovation Action (IA)

• Duration: 01/05/2018 – 30/04/2021 (36 months)

• Total cost: 3.792.149 €

• Requested EU contribution: 2.974.012 €

Motivation

• The GDPR constitutes a milestone in the area of data protection
  • It fills the “regulatory gap” of the last years, and
  • it creates an environment able to cope with the technological and business reality

• However…
  • Organisations declare difficulties in implementing the GDPR provisions
  • This applies particularly to SMEs
  • Challenges include: GDPR requirements interpretation, operational adaptation, customer relationship management, management of third parties, enforcement of security mechanisms, accountability, lack of resources…

• High market demand for compliance facilitation!

BPR4GDPR Vision

A new GDPR compliance paradigm!

• Tools and methodologies for facilitating the implementation of the appropriate technical and organisational measures

• Particularly tailored to SMEs with limited resources

The BPR4GDPR approach consists in:

• Automatic workflows re-engineering to become compliant by design

• A “compliance toolkit” with common functions for run-time enforcement

• Policy-based framework governance conceived on the basis of GDPR

• Mechanisms for offering Compliance-as-a-Service

Goal Statements

1. Reference compliance framework

2. Sophisticated security and privacy policies

3. By design privacy-aware process models

4. Compliance-driven process re-engineering

5. Compliance toolkit

6. Compliance-as-a-Service (CaaS)

7. Comprehensive trials

8. Impact creation

Expected Results

• Regulation-driven policy framework

• Compliance-driven process re-engineering

• Compliance toolkit
  • Privacy-enhancing technologies
  • Data management tools
  • User-centered tools

• Process discovery and mining tool for enabling traceability and adaptability

• Compliance-as-a-Service (CaaS)
  • Cloud deployment and integration, fostering compliance to be offered as-a-service
  • Out-of-the-box compliance for SMEs, added-value for service providers

• An innovative holistic approach resulting in sustainable business models

Use Cases

• Use Case 1: Own data and infrastructure
  • Use case domain: eGovernment services in the healthcare and social security sectors
  • Very sensitive data and operations
  • Own infrastructure, internally operated systems
  • Data exchange with other organisations
  • Partner: E Government Center for Social Security Services S.A. (IDIKA)

• Use Case 2: Compliance-as-a-Service for cross-organisational applications
  • Use case domain: Automotive management
  • Multiple and heterogeneous stakeholders, cooperating in a B2B ecosystem
  • Cloud-based systems
  • Partner: CAS Software AG (CAS)

• Use Case 3: Cloud-supported very small organisations
  • Use case domain: Real estate
  • Very small organisations
  • All systems typically outsourced
  • Partner: Innovazioni Tecnologiche (INNO)

Concept and Approach

[Figure: BPR4GDPR process lifecycle diagram. Process stages shown: Process identification, Process discovery, Process design, Process analysis, Process redesign, Process implementation, Process execution, Process monitoring and controlling. Compliance activities shown: Identification of risks, Assessment of risks, Modelling of compliance requirements, (Re)engineering of internal control, Operational adaptation, Execution of internal control, Enforcement of compliance requirements, Storage, mining, traceability.]

Concept and Approach

[Figure: BPR4GDPR process lifecycle diagram (Process identification, Process discovery, Process design, Process analysis, Process redesign, Process implementation, Process execution, Process monitoring & controlling), with the components Process discovery mechanisms, Process modelling tools and Organisation Process models.]

Goal: Formalisation of procedures and information flows within an organisation

How: Process discovery mechanisms or graphical process modelling tools

Outcome: Process models for further analysis

Concept and Approach

[Figure: BPR4GDPR process lifecycle diagram (Process identification, Process discovery, Process design, Process analysis, Process redesign, Process implementation, Process execution, Process monitoring & controlling), with the components GDPR, Policy Framework (Compliance ontology, Rule based access & usage control, Reasoning & Knowledge extraction), Compliance metamodel, Process verification and adaptation tool, Process discovery mechanisms, Process modelling tools, Organisation Process models and Compliant Process Models.]

Goal:
• Assess compliance of existing organisation processes to GDPR
• Appropriately adapt non-compliant processes

How: Compliance metamodel, subject to verification and adaptation, against policy framework

Outcome: Specifications of compliant workflow models, enhanced with sophisticated privacy constraints enforceable at run time

Concept and Approach

[Figure: BPR4GDPR process lifecycle diagram (Process identification, Process discovery, Process design, Process analysis, Process redesign, Process implementation, Process execution, Process monitoring & controlling), with the components GDPR, Policy Framework (Compliance ontology, Rule based access & usage control, Reasoning & Knowledge extraction), Compliance metamodel, Process verification and adaptation tool, Process discovery mechanisms, Process modelling tools, Organisation Process models, Compliant Process Models and Compliance toolkit.]

Goal: Compliant process enactment and execution

How: Compliance toolkit (privacy-enhancing tools, data management tools, user centered tools)

Outcome:
• Guidelines for process and resources adaptation into existing technological contexts
• Compliant process execution environments

Concept and Approach

[Figure: BPR4GDPR process lifecycle diagram (Process identification, Process discovery, Process design, Process analysis, Process redesign, Process implementation, Process execution, Process monitoring & controlling), with the components GDPR, Policy Framework (Compliance ontology, Rule based access & usage control, Reasoning & Knowledge extraction), Compliance metamodel, Process verification and adaptation tool, Process discovery mechanisms, Process modelling tools, Organisation Process models, Compliant Process Models and Compliance toolkit.]

Goal: Monitoring of process execution regarding compliance

How: Process mining focused on compliance awareness

Outcome:
• Continuous monitoring and control of processes
• Indication of compliance deviations, for adaptation and alignment thereof

Work Structure

WP 1: Project management

WP 2: Use cases, requirements and architecture

WP 3: Policy framework

WP 4: Privacy-aware process re-engineering

WP 5: Compliance toolkit

WP 6: Assessment, trials and validation

WP 7: Impact creation

Implementation Roadmap

[Figure: architecture diagram with the components GDPR, Policy Framework (Compliance ontology, Rule based access & usage control, Reasoning & Knowledge extraction), Compliance metamodel, Process verification and adaptation tool, Process discovery mechanisms, Process modelling tools, Organisation Process models, Compliant Process Models and Compliance toolkit, annotated with the tasks below.]

Task 2.2: Regulatory analysis

Task 3.1: Compliance ontology

Task 3.2: Rule based access & usage control

Task 3.3: Reasoning and knowledge extraction

Task 4.1: Compliance metamodel

Task 4.2: Process verification and adaptation

Task 4.3: Process discovery and continuous adaptation

WP5: Compliance toolkit
• Task 5.1: Privacy-enhancing tools
• Task 5.2: Data Management Tools
• Task 5.3: User-Centered tools

Work timing and Milestones

• Regulatory analysis
  • Workflow Metamodel
  • Policy Model Ontology

• Data protection impact analysis
  • Report on the data protection impact analysis of the project use cases

• Preliminary BPR4GDPR trials complete
  • BPR4GDPR solutions successfully deployed at use cases’ infrastructure
  • Preliminary trials execution

• Final prototypes of BPR4GDPR technology
  • Policy framework
  • Process re-engineering mechanisms
  • Compliance toolkit

• Architecture and compliance ontology definition
  • Use cases and requirements (1st version)
  • First version of the compliance ontology
  • First version of BPR4GDPR architecture

• First prototypes of BPR4GDPR technology
  • Policy framework
  • Process re-engineering mechanisms
  • Compliance toolkit

• Refined architecture definition
  • Final version of the compliance ontology
  • Final version of BPR4GDPR architecture

• Trial demonstration of the achievements
  • Final BPR4GDPR solutions successfully deployed
  • Final trials execution

Timeline markers shown on the slide: M0, M6, M10, M12, M18, M20, M25, M30, M36

Impact Creation

• Expected impacts
  • Support for fundamental rights in digital society
  • Increased trust and confidence in the Digital Single Market
  • Increase in the use of privacy-by-design principles in ICT systems and services
  • Impact on the market and European competitiveness
  • Scientific and technical impact

• Measures to achieve impact
  • BPR4GDPR User Community
  • Dissemination
  • Liaison and standardisation
  • Exploitation

Join our BPR4GDPR User Community

• User profiles: end-users and other stakeholders related to data protection

• Community Goals:
  • Raising awareness regarding data protection
  • Feeding the project with scenarios, use cases, and requirements, both functional and non-functional
  • Forming the target base for surveys that will be useful for assessing the needs and requirements, as well as the project work
  • The evaluation of BPR4GDPR technologies and results
  • The participation in BPR4GDPR workshops and related events
  • The mid- and long-term adoption of BPR4GDPR solutions

Liaison and Standardisation

[Figure: timeline chart over quarters Y1Q1 to Y3Q4 showing the activities below.]

• Creation of W3C Community Groups:
  • Workflow Metamodel
  • Policy Model Ontology

• Workflow Privacy Patterns

• Creation of ETSI ISG on Workflows Security & Privacy

• Workflow Patterns security & privacy review

• NESSI position paper

• BPM Center Reports

• Liaison with ENISA, IAPP, ETSI, OMG, CSA, OASIS, etc.

Exploitation

• Large software industries will improve their tools and revenues, either by offering Compliance-as-a-Service or by embedding compliance into their products.

• SMEs (end-users), that typically do not have the resources to rapidly adapt to strict regulatory provisions, will have in place flexible and cost-efficient instruments for injecting compliance into their offerings.

• Innovation SMEs will develop and mature innovative solutions, aiming at improving their position in the emerging data protection market.

• Law firms will have at their disposal a novel exploitable consultancy toolset in terms of legislation codification, compliance assessment and solutions implementing GDPR-compliance.

• Data Protection Authorities will benefit by deploying mechanisms for the automation of GDPR compliance, while they will engage in liaisons with other European Data Protection Authorities.

Project Consortium

Contact us

• www.bpr4gdpr.eu

• @BPR4GDPR

• BPR4GDPR

BPR4GDPR coordinator: Dipl.-Inform. Spiros Alexakis, [email protected]

Technical Coordinator: MSc. Kalaboukas Konstantinos, [email protected]

Policy Framework Leader: Dr.-Ing. Georgios V. Lioudakis, [email protected]

Scientific & Dissemination Leader: Dr.-Ing. Marwan Hassani, [email protected]

Thank you!

BPR4GDPR 31/07/2018

Acknowledgements:

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 787149.

Visit us:

www.bpr4gdpr.eu